aws-iam

AWS IAM — Common Pitfalls About This Skill This skill contains verified corrections for things that AI agents frequently get wrong about IAM. It is not a comprehensive IAM guide — for full IAM guidance, search AWS documentation. When answering IAM questions, verify specific claims (limits, quotas, exact API names, edge-case behaviors) against official AWS documentation rather than relying on pre-training. Prefer fetching known documentation URLs over broad searches. Trust official documentation over memory when they conflict. Verified Edge Cases CloudTrail: AcceptHandshake/DeclineHandshake logged in ACTING account ONLY, not management account. Organization trail required for centralization. ConsoleLogin region varies by endpoint/cookies, NOT always us-east-1. ?region= forces specific region. STS: GetSessionToken restrictions: (1) No IAM APIs unless MFA included (2) No STS except AssumeRole and GetCallerIdentity. Cross-account AssumeRole to opt-in region: TARGET account must enable region, not calling account. Role chaining: max 1-hour session. Organizations: Suspended/closed accounts CANNOT be removed until permanently closed (~90 days). Remove FIRST, then close. Policy management delegation: use PutResourcePolicy, NOT register-delegated-administrator. AI opt-out policies: management account required by default. Organizations policy types for ListPolicies filter: SERVICE_CONTROL_POLICY, TAG_POLICY, BACKUP_POLICY, AISERVICES_OPT_OUT_POLICY, CHATBOT_POLICY, DECLARATIVE_POLICY_EC2, RESOURCE_CONTROL_POLICY. SDK Specifics: Organizations: DuplicatePolicyAttachmentException (not PolicyAlreadyAttachedException). Boto3 IAM AccessKey: methods are activate() , deactivate() , delete() — NO update() . Instance profiles: waiter + time.sleep(10) pattern. Managed policy max versions: 5. SAML: Encrypted assertions URL: https://region-code.signin.aws.amazon.com/saml/acs/IdP-ID . Private key from IdP uploaded to IAM in .pem format. Policy Evaluation: ForAllValues with empty/missing key: evaluates to true (vacuous truth). To avoid that, use a Null condition in addition to the ForAllValues on the same context key to require that key to be present and non-null. For example, when evaluating the aws:TagKeys context key: { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "", "Condition": { "ForAllValues:StringEquals": { "aws:TagKeys": ["Alpha", "Beta"] }, "Null": { "aws:TagKeys": "false" } } } } Resource-based policies granting to IAM user ARN bypass permissions boundaries in same account. 8 privilege escalation actions via direct IAM policy manipulation: PutGroupPolicy, PutRolePolicy, PutUserPolicy, CreatePolicy, CreatePolicyVersion, AttachGroupPolicy, AttachRolePolicy, AttachUserPolicy. iam:PassRole with Resource: "" + create/update on a compute service (EC2 RunInstances , Lambda CreateFunction / UpdateFunctionConfiguration , ECS RegisterTaskDefinition , Glue, SageMaker, CloudFormation, etc.) = privilege escalation to any passable role in the account, including Administrator. Scope Resource to specific role ARNs or an IAM path; optionally constrain with iam:PassedToService / iam:AssociatedResourceArn . See IAM User Guide — Grant a user permissions to pass a role . MFA: Unassigned virtual MFA devices auto-deleted when adding new ones. MFA resync-only policy NotAction needs exactly: iam:ListMFADevices, iam:ListVirtualMFADevices, iam:ResyncMFADevice. SigV4: IncompleteSignatureException includes SHA-256 hash of Authorization header for transit modification diagnosis. Service-Specific Roles: Redshift Serverless trust policy: include BOTH redshift-serverless.amazonaws.com AND redshift.amazonaws.com as service principals (per AWS docs; omitting serverless causes Not authorized to get credentials of role on COPY). IAM OIDC providers: thumbprints no longer required for most providers (AWS verifies via trusted CAs since 2022). Policy Summary Display: Single statement with multi-service wildcard actions (e.g. codebuild: , codecommit: ) + service-specific resource ARNs: each resource appears ONLY under its matching service's summary (CodeBuild ARN under CodeBuild, etc.). A resource whose service prefix matches NO action in the statement is the only case where it appears in all action summaries ("mismatched resource").